Adobe issues security advisory for Flash zero-day flaw
By Robert Westervelt, News Editor 22 Jul 2009 | SearchSecurity.com
Adobe Systems Inc. has issued a security advisory warning users of a critical vulnerability in current versions of Flash Player and an authplay.dll component that ships with Adobe Reader and Acrobat v9.x.
Adobe rated the vulnerability critical and said it could cause Flash Player to crash and allow an attacker to execute code and take control of the affected system. Adobe also confirmed limited attacks against Adobe Reader v9 on Windows.
"We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009," wrote Wendy Poland of Adobe's security team in the Adobe Product Security Incident Response Team (PSIRT) blog.
Until a patch is issued, Adobe said users could delete, rename or remove access to the authplay.dll file that ships with Adobe Reader and Acrobat to mitigate the threat. Once the workaround is deployed, the programs will crash when opening a PDF containing Flash content.
"Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit," Poland said. The United States Computer Emergency Readiness Team (US-CERT) issued a vulnerability note warning that the malicious SWF file could be hosted or embedded in a Web page. The organization said users can disable Flash or selectively enable Flash content in their browser until a patch is released.
Bojan Zdrnja, an incident handler with the SANS Internet Storm Center confirmed that a low number of malicious sites are serving the Flash exploit. The exploit includes separate code for both Mozilla Firefox and Microsoft Internet Explorer users, Zdrnja said.
"We confirmed that the links have been injected in legitimate websites to create a drive-by attack, as expected," Zdrnja wrote in a SANS diary entry.
Adobe announced on Tuesday that it was investigating the possibility of a Flash Player flaw, but few details were available.
Security researchers at Symantec Corp.'s Security Response came across an attack technique attempting to exploit the flaw on Monday. A Trojan, embedded in a malicious PDF file, exploits the Flash vulnerability and then drops and executes a Trojan onto a user's system. Researchers in McAfee Avert Labs have also posted details about the Flash vulnerability and the ongoing attacks.
"This is something that could be potentially serious because it affects a range of platforms," said Marc Fossi, manager of research and development for Symantec Security Response in an interview with SearchSecurity.com. "So far attacks have been limited."
Symantec's Patrick Fitzgerald said the current attacks attempt to drop malware on the victim's machine and "possibly open a back door." The PDF exploiting the vulnerability includes multiple Flash streams (FWS), Fitzgerald wrote on the Symantec security blog.